
oss-sec mailing list archives
CVE Request: devscripts: licensecheck: arbitrary shell command injection
From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 1 Aug 2015 07:00:50 +0200
Hi

devscripts[0,1] contains a utility licensecheck, a simple license checker for source files. It is as well included at least in Ubuntu and Fedora[2].

Jonas Smedegaard[3] (and Jakub Wilk with a follow-up message) reported that licensecheck is prone to arbitrary shell command injection via shell metacharacters in filenames.

The issue was introduced in devscripts v2.15.5[4] and fixed in v2.15.7[5].

Could you please assign a CVE to identify this issue?

Regards,
Salvatore

[0] https://packages.debian.org/devscripts
[1] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/
[2] http://pkgs.fedoraproject.org/cgit/devscripts.git/
[3] https://bugs.debian.org/794260
[4] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=025ad4ea8ba92d32bd698a83149f782c17f78bf0
[5] https://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=c0687bcde23108dd42e146573c368b6905e6b8e8